19a90eef0f52ce9d9ece0aa3d560f9bdd469b7c0b780fd2269ba9082b001ca00

Analysis

max time kernel
99s
max time network
129s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
14-03-2023 12:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5183806092083307240, United Kingdom.doc
Size

548.3MB
MD5

8ad41b75ac260ad12600a77dbf27de25
SHA1

fcf2484ae2913cefe5de026ef39b2537bda10138
SHA256

33a483e9a68e674ba8166300aa38d19197b1ee5bb72ff784a9e48797c5337c9b
SHA512

e9f481765d140bf3a0c716a1f138d75b0b3b12333f84dc9820efa01a2557b4e93797545497937fc82f1e752fc93c3967ddf7639503046fd2d532eecb0783709c
SSDEEP

6144:1620tqUx3Xu+7ZkRIDNGi9a0Va5UAClo:1620tqm3+I2ezcz5U3lo

Score

10^/10

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

regsvr32.exe

description	pid	pid_target	process	target process
Parent C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE is not expected to spawn this process	1748	2044	regsvr32.exe	WINWORD.EXE

Office loads VBA resources, possible macro or embedded object present

Modifies Internet Explorer settings 1 TTPs 9 IoCs

adware spyware

Modify Registry

T1112

Processes:

WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	WINWORD.EXE
Key created	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	WINWORD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	WINWORD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	WINWORD.EXE

Script User-Agent 4 IoCs

Uses user-agent string associated with script host/environment.

Processes:

description	flow	ioc
HTTP User-Agent header	2	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	3	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	10	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	15	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
2044 WINWORD.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

WINWORD.EXE

pid process

2044 WINWORD.EXE
2044 WINWORD.EXE

pid	process
2044	WINWORD.EXE

pid	process
2044	WINWORD.EXE
2044	WINWORD.EXE

pid	process
2044	WINWORD.EXE
2044	WINWORD.EXE

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\5183806092083307240, United Kingdom.doc"
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2044

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\130316.tmp"
2⤵
- Process spawned unexpected child process
PID:1748

C:\Windows\system32\regsvr32.exe
/s "C:\Users\Admin\AppData\Local\Temp\130316.tmp"
3⤵
PID:1040

C:\Windows\system32\regsvr32.exe
C:\Windows\system32\regsvr32.exe "C:\Windows\system32\VYIYijhCG\ojeDbpvUXas.dll"
4⤵
PID:1904

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
beb686654aa974706bc4af424626964c

SHA1
2922e0a2908de297cf60ad92c80032ad47192aae

SHA256
00311eb0310d52b5c7d5ef203d6b1d9db4a0e6b6f7503447dfbfc2f66f428027

SHA512
e7adc39017a584fcd258d8d64d6c9235dc6cb3424d853831300f52b53fe3d81c733844092e8c199320b9a9b17e6072ed45702700c56e8d8f5abdf4f534894250

Download Submit
C:\Users\Admin\AppData\Local\Temp\130316.tmp
Filesize
287.6MB

MD5
0450bdf8970c2fce147f17c2db26ed6d

SHA1
c9b6d1c6c2744bd8de1b2a209bb0c8bd758477a9

SHA256
a7424369114c2df2ee8000afd1253ca94c77f5a492896e894131caf58dd0434a

SHA512
b75f55b4e0718162dd5065a504cb368c2a50cc06cb388de34862b1a7df824c35b7b4aaa458798c22cba7cab987fc21b983c7037177a4ec646a8076881e7acf17

Download Submit
C:\Users\Admin\AppData\Local\Temp\130436.zip
Filesize
831KB

MD5
c0cdaa24b56f503284fb7cae16f8eb27

SHA1
bcc2570a9a8d1251a9a2a11879987b88a07b3d91

SHA256
19659efa60a2e570b1b4cf506fae989666edb36720dcc978afbe8a53561fd433

SHA512
8662d34401a03d9d0fea8f288a56b0f1dcb8265e14390240c8f8dc2cf9526bcf26895c208d5b09201965076edcc25607600ffc0a435a81a78c5758d52b2cb7ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabADEF.tmp
Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAF9C.tmp
Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\Normal.dotm
Filesize
20KB

MD5
837cb1b498aa255849ee1c2f1fa2147e

SHA1
f1c9d2397989b030fc5e6fa3759b1d1d0afd7c94

SHA256
209f5e9760d0912846d3ecc6eeda6fec2b23be9000ac3336b67a4df00c22f780

SHA512
077fbf998ffaf5047d2a4db36fb17a28d532e91aa47d74084e8b339c2ef05d071b3083ec330f6b4399e529b83c980ad09a48e416fe28eaeefb5a13c87df66cb8

Download Submit
\Users\Admin\AppData\Local\Temp\130316.tmp
Filesize
184.7MB

MD5
0bc7d10eb327a8c1c8ae2b098388e75a

SHA1
538e7e37e2116fec112e85fe09a44561cde51116

SHA256
14de730c96ae9869593eefdc6995023bef4d51b5f970bae6579c33cfc2f6ed87

SHA512
7ea0013eab131a89ca3a95c5eb2a5ace7b67f5075be6d54013f65571851a944841580e80944a2a40d8443a839bfa4aa5288d209dae7ff602b40974bf186aa7a1

Download Submit
\Users\Admin\AppData\Local\Temp\130316.tmp
Filesize
286.4MB

MD5
9adc9f142ddac25488e0a50c6c7baffe

SHA1
8afbac268ca510e8176bf07fd24c306af4dec0e2

SHA256
e1858463178e92844e8632f2ddf523224fc60ce1e73d35b2184f21a0f602d500

SHA512
e6f71a7c1e3e74b02413aee77687fdab61307fa93f7fa661f36ce421b7912fa32730fa90efe6c61ba8d4f30675177bd0ef3c946e3c34e47fa282ba85ac3c4b82

Download Submit
memory/1040-1412-0x00000000004A0000-0x00000000004A1000-memory.dmp

Filesize
4KB

Download
memory/1904-1418-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2044-89-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-183-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-93-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-95-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-96-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-99-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-98-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-100-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-97-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-94-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-88-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-86-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-101-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-124-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-169-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-92-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-91-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2044-90-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-87-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-81-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-1215-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/2044-82-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-84-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-85-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-83-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-1413-0x00000000062D0000-0x00000000062D1000-memory.dmp

Filesize
4KB

Download
memory/2044-80-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download
memory/2044-79-0x00000000001A0000-0x00000000002A0000-memory.dmp

Filesize
1024KB

Download